0

This is the line of code that is causing the error:

$result = $mysqli->query("SELECT * FROM 'accounts'.'users' WHERE email='$email' AND hash='$hash' AND active='0'") or die($mysqli->error);

and this is the error that shows:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''accounts'.'users' WHERE email='testemail@email.com' AND hash='76dc611d6eba' at line 1

However, if I print the value of hash I get this "76dc611d6ebaafc66cc0879c71b5db5c" the value that I want to search with and the value that is stored in the database. I am not sure if it is just being shortened for the error message of if something else is happening.

Marcin Orlowski
  • 72,056
  • 11
  • 123
  • 141
maxgoodman
  • 3
  • 2
  • Also please see [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Alex K. Aug 07 '18 at 10:30

2 Answers2

2

Try changing from ' (apostrophe) to ` (backtick) or simply removed the single quotes from db/table name, so your query looks like this:

SELECT * FROM `accounts`.`users` WHERE email='$email' AND hash='$hash' AND active='0'
Marcin Orlowski
  • 72,056
  • 11
  • 123
  • 141
Igor Ilic
  • 1,370
  • 1
  • 11
  • 21
  • Doing either of these (Removing and changing to backticks) gives me a "No database selected" error instead – maxgoodman Aug 07 '18 at 10:15
  • @maxgoodman - you've not selected a DB when creating the mysqli object, reading [the manual](http://php.net/manual/en/mysqli.construct.php) will help with this – Can O' Spam Aug 07 '18 at 10:28
0

Try removing quotes around database and table name

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

if ($mysqli->connect_errno) {
 printf("Connect failed: %s\n", $mysqli->connect_error);
 exit();
}

$result = $mysqli->query("SELECT * FROM accounts.users WHERE email='$email' AND hash='$hash' AND active='0'") or die($mysqli->error);
Pramod Patil
  • 2,704
  • 2
  • 14
  • 20